Losing the Initialization Vector in Cipher Block Chaining




















I have written a message and encrypted it using cipher block chaining.



What will happen if the receiver loses the Initialization Vector, or doesn't receive it at all?










Tags: decryption, ciphers






asked 6 hours ago by Ahmed Iraqi


























3 Answers














          In a cipher block chain, each block is XORed with the ciphertext of the previous block, not the plaintext. So even if you cannot decipher one block, as long as you have received the complete block intact and correct, you can still use it to decipher the next one.



          So, if your receiver doesn't have the Initialization Vector, they will be unable to decipher the first block they receive. But as long as they receive the first block, they will still successfully decipher the second (and each successive) block.






          answered 6 hours ago by Johnny














            The bigger problem is not the garbled first block, as already answered. The real problem is that if you use Authenticated Encryption (or AEAD), as you must, then the message cannot be authenticated without the IV (because the IV must be covered by the MAC), and when the message cannot be authenticated, it must not be decrypted. The job of the MAC is to ensure unauthenticated messages are never passed to AES (or whatever) together with your real key.



            Since you are trying to decrypt messages that don't have their IV, we must assume they are also unauthenticated (or you had a MAC that didn't cover the IV). Fix that.



            You can do CBC + HMAC, encrypt-then-MAC, with the MAC covering the IV, and it would be secure. But, it would be much better to use AES-GCM or Chacha20-Poly1305. It would be even better to just use libsodium or Google Tink.






            answered 43 mins ago by Z.T.
























            • This is a great answer, and shows the important difference in the answers you'll get by asking the questions "what will happen" and "what should happen"...

              – Johnny
              15 mins ago

































            When decrypting a message in CBC mode, each ciphertext block cᵢ is decrypted with the chosen key, and then XORed with the previous ciphertext block cᵢ₋₁.

            Since for c₁, there is c₀, we use the IV instead. So if the receiver knows the ciphertext and the key used to encrypt it, but not the IV, they can decrypt everything apart from the first block.






            answered 6 hours ago by TheWolf, edited 38 mins ago by schroeder

























